From 1377ee2653aec0802b8b114a02a5fcfb43777c0b Mon Sep 17 00:00:00 2001
From: Christian Mehlmauer
Date: Sun, 13 Jan 2013 21:08:07 +0100
Subject: [PATCH] added metasploit references
---
 data/plugin_vulns.xml | 5 +++
 lib/common_helper.rb | 6 +++
 lib/wpscan/vulnerable.rb | 3 +-
 lib/wpscan/wp_vulnerability.rb | 11 +++---
 wpscan.rb | 72 +++++++++-------------------
 5 files changed, 37 insertions(+), 60 deletions(-)
diff --git a/data/plugin_vulns.xml b/data/plugin_vulns.xml
index c09b8228..724f0939 100644
--- a/data/plugin_vulns.xml
+++ b/data/plugin_vulns.xml
@@ -26,6 +26,9 @@ ryandewhurst at gmail + + +
@@ -141,6 +144,7 @@ ryandewhurst at gmail Google Document Embedder Arbitrary File Disclosure http://www.exploit-db.com/exploits/23970/ http://ceriksen.com/2013/01/03/wordpress-google-document-embedder-arbitrary-file-disclosure/ + exploit/unix/webapp/wp_google_document_embedder_exec UNKNOWN
@@ -256,6 +260,7 @@ ryandewhurst at gmail Advanced Custom Fields <= 3.5.1 Remote File Inclusion http://packetstormsecurity.com/files/119221/wp_advanced_custom_fields_exec.rb.txt + exploit/unix/webapp/wp_advanced_custom_fields_exec RFI
diff --git a/lib/common_helper.rb b/lib/common_helper.rb
index 28ee88e8..2e169cd5 100644
--- a/lib/common_helper.rb
+++ b/lib/common_helper.rb
@@ -139,3 +139,9 @@ end
 def green(text)
 colorize(text, 32)
 end
+
+def get_metasploit_url(module_path)
+ # remove leading slash
+ module_path = module_path.sub(/^\//, "")
+ "http://www.metasploit.com/modules/#{module_path}"
+end
diff --git a/lib/wpscan/vulnerable.rb b/lib/wpscan/vulnerable.rb
index 0353bc0b..e23ef176 100644
--- a/lib/wpscan/vulnerable.rb
+++ b/lib/wpscan/vulnerable.rb
@@ -32,7 +32,8 @@ class Vulnerable
 vulnerabilities << WpVulnerability.new(
 node.search("title").text,
 node.search("reference").map(&:text),
- node.search("type").text
+ node.search("type").text,
+ node.search("metasploit").map(&:text)
 )
 end
 vulnerabilities
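Review bot: The anchor in `module_path.sub(/^\//, "")` is Ruby's line-start `^`, which matches after every newline rather than only at the start of the string; `module_path.sub(%r{\A/}, "")` expresses the intent ("strip one leading slash") exactly and cannot touch an interior slash if a value ever contains a line break. The helper also has no doc comment; I would add `# Builds the public metasploit.com page URL for a Metasploit module path (e.g. exploit/unix/webapp/foo); a leading slash is tolerated.` above the `def`. The `get_` prefix is unidiomatic next to the file's `red`/`green` helpers — `metasploit_url(module_path)` would read better — but that is a naming choice rather than a defect.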
diff --git a/lib/wpscan/wp_vulnerability.rb b/lib/wpscan/wp_vulnerability.rb
index adaa7fc7..d8666b76 100644
--- a/lib/wpscan/wp_vulnerability.rb
+++ b/lib/wpscan/wp_vulnerability.rb
@@ -17,11 +17,12 @@ #++
 class WpVulnerability
- attr_accessor :title, :references, :type
+ attr_accessor :title, :references, :type, :metasploit_modules
- def initialize(title, references, type)
- @title = title
- @references = references
- @type = type
+ def initialize(title, references, type, metasploit_modules)
+ @title = title
+ @references = references
+ @type = type
+ @metasploit_modules = metasploit_modules
 end
 end
diff --git a/wpscan.rb b/wpscan.rb
index ad171315..1ed907d9 100755
--- a/wpscan.rb
+++ b/wpscan.rb
@@ -21,6 +21,19 @@ $: << '.'
 require File.dirname(__FILE__) +'/lib/wpscan/wpscan_helper'
+def output_vulnerabilities(vulns)
+ vulns.each do |vulnerability|
+ puts
+ puts " | " + red("* Title: #{vulnerability.title}")
+ vulnerability.references.each do |r|
+ puts " | " + red("* Reference: #{r}")
+ end
+ vulnerability.metasploit_modules.each do |m|
+ puts " | " + red("* Metasploit module: #{get_metasploit_url(m)}")
+ end
+ end
+end
+
 banner()
 begin
@@ -119,13 +132,7 @@ begin
 theme_vulnerabilities = wp_theme.vulnerabilities
 unless theme_vulnerabilities.empty?
 puts red("[!]") + " We have identified #{theme_vulnerabilities.size} vulnerabilities for this theme :"
- theme_vulnerabilities.each do |vulnerability|
- puts
- puts " | " + red("* Title: #{vulnerability.title}")
- vulnerability.references.each do |r|
- puts " | " + red("* Reference: #{r}")
- end
- end
+ output_vulnerabilities(theme_vulnerabilities)
 puts
 end
 end
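Review bot: The new fourth positional parameter of `initialize` is mandatory, so any `WpVulnerability.new(title, references, type)` caller outside this diff (none is visible here, but the class is public) now raises ArgumentError; `def initialize(title, references, type, metasploit_modules = [])` keeps the old arity working and guarantees that `metasploit_modules.each` in wpscan.rb always sees an Array, which the `node.search("metasploit").map(&:text)` caller in vulnerable.rb already provides. The class still exposes `attr_accessor` for all four fields although nothing in this diff writes them after construction; `attr_reader` would be the narrower interface, which can be left for a follow-up. A one-line class comment would help readers, e.g. `# One vulnerability-DB entry: title, reference URLs, type string and the Metasploit module paths read from <metasploit> elements.`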
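Review bot: `output_vulnerabilities` begins every entry with a bare `puts`, but three of the loops it replaces — the plugin and theme listings in the @@ -206, @@ -251 and @@ -311 hunks — printed `puts " |"` and `"[!] #{vulnerability.title}"` so the ` | ` column stayed unbroken; those listings now get an empty line in the middle of each block, whereas only the theme and version sections used a blank separator before. Printing `puts " |"` instead keeps the column intact everywhere and makes the helper a drop-in for all five call sites. The helper also deserves a short comment above the `def`, e.g. `# Prints each WpVulnerability as an indented " | " block: title, reference URLs and Metasploit module page URLs.`, and since the file already pulls `get_metasploit_url` in from lib/common_helper.rb, it might live beside the other formatting helpers rather than in the main script. The body of `output_vulnerabilities` is fully contained in this hunk.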
@@ -182,13 +189,7 @@ begin
 unless version_vulnerabilities.empty?
 puts
 puts red("[!]") + " We have identified #{version_vulnerabilities.size} vulnerabilities from the version number :"
- version_vulnerabilities.each do |vulnerability|
- puts
- puts " | " + red("* Title: #{vulnerability.title}")
- vulnerability.references.each do |r|
- puts " | " + red("* Reference: #{r}")
- end
- end
+ output_vulnerabilities(version_vulnerabilities)
 end
 end
@@ -206,13 +207,7 @@ begin
 puts " | Location: #{plugin.get_full_url}"
 puts " | WordPress: #{plugin.wp_org_url}"
- plugin.vulnerabilities.each do |vulnerability|
- puts " |"
- puts " | " + red("[!] #{vulnerability.title}")
- vulnerability.references.each do |r|
- puts " | " + red("* Reference: #{r}")
- end
- end
+ output_vulnerabilities(plugin.vulnerabilities)
 end
 else
 puts "No plugins found :("
@@ -251,24 +246,7 @@ begin
 puts " | Readme: #{plugin.readme_url}" if plugin.has_readme?
 puts " | Changelog: #{plugin.changelog_url}" if plugin.has_changelog?
- plugin.vulnerabilities.each do |vulnerability|
- #vulnerability['vulnerability'][0]['uri'] == nil ? "" : uri = vulnerability['vulnerability'][0]['uri'] # uri
- #vulnerability['vulnerability'][0]['postdata'] == nil ? "" : postdata = CGI.unescapeHTML(vulnerability['vulnerability'][0]['postdata']) # postdata
-
- puts " |"
- puts " | " + red("[!] #{vulnerability.title}")
- vulnerability.references.each do |r|
- puts " | " + red("* Reference: #{r}")
- end
-
- # This has been commented out as MSF are moving from
- # XML-RPC to MessagePack.
- # I need to get to grips with the new way of communicating
- # with MSF and implement new code.
-
- # check if vuln is exploitable
- #Exploit.new(url, type, uri, postdata.to_s, use_proxy, proxy_addr, proxy_port)
- end
+ output_vulnerabilities(plugin.vulnerabilities)
 if plugin.error_log?
 puts " | " + red("[!]") + " A WordPress error_log file has been found : #{plugin.error_log_url}"
@@ -311,21 +289,7 @@ begin
 puts " | Readme: #{theme.readme_url}" if theme.has_readme?
 puts " | Changelog: #{theme.changelog_url}" if theme.has_changelog?
- theme.vulnerabilities.each do |vulnerability|
- puts " |"
- puts " | " + red("[!] #{vulnerability.title}")
- vulnerability.references.each do |r|
- puts " | " + red("* Reference: #{r}")
- end
-
- # This has been commented out as MSF are moving from
- # XML-RPC to MessagePack.
- # I need to get to grips with the new way of communicating
- # with MSF and implement new code.
-
- # check if vuln is exploitable
- #Exploit.new(url, type, uri, postdata.to_s, use_proxy, proxy_addr, proxy_port)
- end
+ output_vulnerabilities(theme.vulnerabilities)
 end
 else
 puts